Finding out which users have certain software installed

lewis_c26
Engager

I have been set a task at work to find out:
Which users have certain bits of software installed on their machine and have access to it, for licensing reasons.
Is there a simple search that can be done that creates a .csv file in the end that I can send to the manager?
It also needs to be able to be done with other bits of software.

Excuse the lack of knowledge; I am new to Splunk and still learning my way around.

0 Karma

dglass0215
Path Finder

Take a look at the Splunk Add-on for Windows app (https://docs.splunk.com/Documentation/WindowsAddOn/7.0.0/User/SourcetypesandCIMdatamodelinfo) if you are not already using it. This has a sourcetype, Script:InstalledApps, which will index all the installed applications.

lewis_c26
Engager

@dglass0215 Is there a feature/search so that you can search for a specific application installed on all of the computers? Thank you

0 Karma

dglass0215
Path Finder

You can use the field named "DisplayName". Something like this:

sourcetype="Script:InstalledApps" DisplayName="\"McAfee*"\"

0 Karma

lewis_c26
Engager

I am doing this search:
index=windows sourcetype="Script:InstalledApps" DisplayName="Microsoft Visio Viewer 2013"
| fields host,DisplayName
| dedup host, DisplayName | eval
| fields host,DisplayName,UserName |stats values(DisplayName) AS Applications by host Last_Seen

And I get this error:
Error in 'eval' command: Arguments are missing. Usage: eval dest_key = expression.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Could you advise?

0 Karma

wmyersas
Builder

Your eval isn't eval'ing anything.

Try:

index=windows sourcetype="Script:InstalledApps" DisplayName="Microsoft Visio Viewer 2013"
| stats values(DisplayName) as Applications by host Last_Seen
0 Karma

lewis_c26
Engager

I tried that; I forgot to add the host=* so that it also displays the host name of the computer

index=windows sourcetype="Script:InstalledApps" DisplayName="Microsoft Visio Viewer 2013" host=*
| stats values(DisplayName) as Applications by host Last_Seen

This still didn't work. There is no error, just no events found, despite this software being installed on at least 50 machines.

0 Karma

wmyersas
Builder

Is DisplayName a multivalue field?

If so, you may have some issues.

Try | stats count by DisplayName host Last_Seen maybe

0 Karma

lewis_c26
Engager

@wmyersas I don't know what a multivalue field is in Splunk as I am still new to it.

@dglass0215 I have run the search:
index=windows sourcetype="Script:InstalledApps" DisplayName="\"Microsoft Visio Viewer 2013"\"
| stats values(DisplayName) as Applications by host Last_Seen
and it still is not displaying the list of computers with that installed.

0 Karma

dglass0215
Path Finder

When you run a query and do not get any results, you need to lessen the criteria until you do, to help figure out where the problem is.

For example: Do you get data if you search sourcetype="Script:InstalledApps" DisplayName="\"Microsoft Visio Viewer 2013"\"

0 Karma

lewis_c26
Engager

No, nothing is displayed.

0 Karma

dglass0215
Path Finder

OK, so you need to look further into exactly what is in the DisplayName when you run just the query sourcetype="Script:InstalledApps"

0 Karma
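An added example, not part of any post in this thread: one way to check what DisplayName actually holds and still get a per-host list that can be exported as CSV. It assumes the index and field names used in the posts above (index=windows, host, DisplayName); `app` and `last_seen` are names made up for the example. It expands DisplayName in case it is multivalue, strips any literal quotes and spaces around the value before matching, and groups on `_time` rather than on a `Last_Seen` field, because `stats ... by` drops every event in which a `by` field is missing.

```spl
index=windows sourcetype="Script:InstalledApps"
| mvexpand DisplayName
| eval app=trim(DisplayName, "\" ")
| where like(lower(app), "microsoft visio viewer%")
| stats latest(_time) as last_seen by host, app
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M")
| sort host
| table host, app, last_seen
```

If this returns nothing, remove the `where` line and replace everything after it with `| stats count by app` to see the exact application names being indexed.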

dglass0215
Path Finder

Do you have events if you just search sourcetype="Script:InstalledApps"?

0 Karma

lewis_c26
Engager

Yes, it displayed all of the installed software.

0 Karma

dglass0215
Path Finder

oh... for DisplayName you need DisplayName="\"Microsoft Visio Viewer 2013"\"

0 Karma

kamlesh_vaghela
SplunkTrust

@lewis_c26

Can you please share more details about events you are collecting from user's machine?? Like sample events, OR any App/TA you are using for data collection.

0 Karma

lewis_c26
Engager

@kamlesh_vaghela

The Computer Name (Hostname), IP Address, User who is currently logged on, IP Address, Manufacturer, MAC Address, the domain and then the installed software and updates. All of this is collected using the Universal Forwarder and displayed on a handy dashboard. I believe there is more data and events collected but the above is what I am aware of.
Thanks for the help.

0 Karma

wmyersas
Builder

If you already have it on a dashboard, just export the dashboard's results into a CSV.

Alternatively, open the dashboard panel in search, make any tweaks/changes, and then export those results in a CSV.

0 Karma

MuS
SplunkTrust

Or take that search, save it as a scheduled report and send it directly to your manager, no manual actions needed 😉

cheers, MuS

lewis_c26
Engager

Is it possible to give some more details on what search I could do to get the data on who has what software before generating the report to send to the user?

0 Karma

wmyersas
Builder

What are you actually trying to accomplish?

A per user report (to distribute to each user)?

What's on the dashboard you currently have?

0 Karma